Teleconferencing method for a secure key management system.



A secure teleconferencing method for a key management system is shown. This method directly establishes
a secure teleconference among a number of terminals without the intervention of a certifying authority. The 
terminals (A-D) of this system have been previously certified by a common certification authority. Upon detection 
of a secure teleconference, the terminals orient themselves in a master/slave (1-16,22,23) configuration. The 
terminals exchange certification messages (24-43,45). As a result, each terminal determines the identity of the 
other terminals (44,46). Under the supervision of the master terminal, the terminals establish a single session, 
session key which permits secure communication among the terminals (47-58). A new session key is randomly 
generated for each teleconference call. A minimum number of messages is exchanged to establish the secure 
teleconference. 






EP 0 402 083 A2 



TELECONFERENCING METHOD FOR A SECURE KEY MANAGEMENT SYSTEM 



Background of the Invention 



The present invention pertains to secure communications among users of a key management system 
and more particularly to a method for providing secure teleconferencing through the use of an unforgeable 
certification process. 

In modern day telephony, specialized circuitry within the switching system provides for teleconferencing.
Teleconferencing is simultaneous voice or data exchange between three or more users of a
communication system. Typically, specialized networks and circuitry within the network of a switching
system provide for interconnecting a number of users in a teleconference.

In secure communications systems, the problem of establishing connections among multiple users for
voice or data exchange is further complicated by various security protocols. Establishing a secure
teleconference between multiple users via a secure network of a switching system is very difficult. This is
because the terminal devices in a secure teleconferencing system may demand point-to-point,
on-line establishment of traffic keys.

Further, establishing a session key between terminal devices connected to a secure network of a 
switching system requires transmission of many messages between the system and the users. This is very 
cumbersome and time consuming. 

An object of the present invention is to provide a method to enable any number of terminal devices 
connected to a switching network to establish a secure conference arrangement by establishing an 
unforgeable certification method to provide a single session traffic key with a minimal number of
point-to-point message exchanges between the terminal devices.



Summary of the Invention



In accomplishing the object of the present invention, a novel teleconferencing method for a secure key 
management system is shown. 

A secure teleconferencing method is achieved among a number of interconnected terminals via a
switching network. Each of the terminals has previously been certified by a common authority. The secure
teleconferencing method first establishes that all the teleconferenced terminals have previously been
certified. Each terminal establishes that all the remaining terminals have been previously certified by a
common authority. Then, the terminals collectively develop a unique, single session, session key for
providing secure voice and data communication among the interconnected terminals.



Brief Description of the Drawing 

FIG. 1 is a block diagram of a teleconferencing arrangement via a switching network. 
FIGS. 2A and 2B are flow charts of a secure teleconferencing method embodying the principles of 
operation of the present invention. 

FIGS. 3A and 3B are timing diagrams of inter-terminal message transmission.
FIG. 4 is a block diagram depicting the exclusive-OR operation of each terminal. 

Description of the Preferred Embodiment 



FIG. 1 depicts a number of terminals (A, B, C and D) connected to a switching network. This switching 
network includes circuitry which can provide for teleconferencing among these four terminals. Four 
terminals are shown here by way of example and not by way of limitation. Almost any number of terminals 
may be connected in the teleconferencing arrangement. The only limitation is the number of terminals
which may physically be interconnected by the switching system.

In the present system, each of the terminals is a secure voice and data terminal. Each terminal includes 
the present secure teleconferencing method. This method may typically be implemented in software.
However, hardware implementations are also possible. 

The secure terminals A-D are designed for both full duplex and half duplex voice and data communication.
Half duplex voice and data communication takes place over two-wire communication networks. Full
duplex voice and data communication occurs over four-wire telecommunication networks. For full duplex
transmission, information is received and transmitted over two separate pairs of wires (channels)
simultaneously. In half duplex transmission, a terminal puts energy on the line only when transmitting information.
When its transmission is complete, its energy is removed, allowing another terminal to transmit on the same
channel. Teleconferencing is much more straightforward in the half duplex configuration, since energy is on
the line only when a particular terminal is transmitting.

The present method pertains more readily to the half duplex communication mode. However, via time
sharing existing channels or establishing a new channel, one per added terminal, this method is also
applicable to the full duplex transmission mode. Each of the terminals A-D includes a half duplex modem.
Each terminal includes input devices such as a push button for indicating that the teleconferencing mode is
selected and that the secure mode is selected. Each terminal also includes the ability to display the identity
of each of the other teleconferencers. These identities may be scrolled on a visual display for the user of
each terminal.

For security, each of the terminals employs a type of asymmetric RSA public encryption and private
decryption process. The encryption process is denoted by EM and the decryption process is denoted by DM.

Turning now to FIGS. 2A and 2B, the secure teleconferencing method is shown. First, the users go off
hook, block 1. Next, all the users are established in an unsecured teleconferenced arrangement via the
usual switching system procedures, block 2. This is accomplished in the typical manner through
conference circuitry in the switching network. The call or data transmission at this point is unsecured.

To accomplish the teleconference, each of the users of terminals A-D selects the conference mode by
pushing a conference push button on his or her terminal. Next, one of the users presses the secure key on
his or her terminal, block 3. This serves two functions. First, that terminal becomes the master terminal for
controlling the teleconference function. Since all of the terminals include the present method, any of the
terminals may be the master for the teleconference. The master terminal for the
teleconference is determined by the first user to press the secure key on his terminal.

The second function of the master terminal is to transmit its access domain message in half duplex to
each of the other conferenced terminals. To accomplish this, the master transmits P1800 data, block 3,
stops transmitting for 256 bits (block 4), and sends P1800 data of 776 bits (block 5) followed by SCR1 data
(scrambled ones for synchronization), block 6. Meanwhile, the slaves are set in the half duplex mode, block
7. The slave confirms the stop gap, block 8. The slaves detect the P1800 data, block 9, and train their
modem to receive, block 10. The master sends the access domain message (ADM), block 11. This is followed by an
end of message (EOM) indication, block 12.

Next, each slave receives the access domain message and stores it for later processing, block 13. The 
access domain messages of the master and other slave terminals are processed when the master's 
authentication message has been received. 

The transmission of the master's access domain message occurs as shown in FIG. 3A. The master first
sends a P1800 protocol, followed by a gap, followed by another P1800 protocol, an SCR1 (scrambled 1's
and 0's for modem synchronization) bit stream and then the bit stream of the access domain message,
followed by an end of message (not shown). Each slave then responds in an appropriate time slot, as
determined by a queue index function. This queue index function may be implemented in a number of
ways, such as a strictly arbitrary sequence.

The master terminal then sets its modem in the receive mode, blocks 14 and 15.

Next, each slave in the teleconference responds with its access domain message in the selected time
slot. Since the slave terminals have received the master's access domain message, the NO path has been
followed from block 16 to block 17. Next, it is the slave's turn to send its access domain message, the YES
path is followed from block 17 to block 18. In FIG. 3A, slave 1 responds with its P1800 protocol (block 18)
followed by SCR1 (block 19), and its access domain message ADM, block 20, followed by EOM, block 21.
Similarly, each slave responds in its time slot. Slave 2 responds in time slot 2. Slave n responds in time slot
n. The master terminal receives all the access domain messages of each of the slaves, block 22. Block 23
determines whether all the slaves have responded. If all the slaves have not responded, block 23 transfers
control to block 14 to wait for a response. When all the slave terminals respond, the master (block 24)
processes the access domain messages of each of the slaves.

Next, the master sends its authentication message to each of the slaves, blocks 25 through 28. The
authentication message of the master terminal is given by Equation (1).

$$AM_m = [(ID_{master},\ EM_{master})] \times DM_{kca} \qquad \text{Equation (1)}$$

The Authentication Message identifies the particular master terminal, its public or encrypt key and the
private decrypt key of its certification authority (KCA). This message is valid only if it is certified by the key
certification authority. Further, each of the other terminals may decode this message only if they are
certified under the same key certification authority.

Block 16 determines for each slave terminal that this is the authentication message. As a result, block
16 transfers control to block 29 which processes the master access domain message ($ADM_m$) and the other
slaves' access domain messages ($ADM_{sn}$'s). Once the access domain messages have been thereby
exchanged, each terminal can determine the identity of the terminal to which it is connected via the
teleconference and that they are certified by a common certifying authority such as a KCA. FIG. 3B depicts
this transmission of the master. This transmission consists of the 1800 protocol followed by the SCR1 bits,
followed by the authorization message and an EOM (not shown). The master terminal sets itself to receive
the authentication messages of the slaves, blocks 31 and 32. Next, each slave terminal processes the
authentication message of the master ($AM_m$), block 30. Each slave terminal generates a unique random
number ($RN_s$) and a random component message (RCM) from the random number, block 33. The RCM is
made by encrypting the slave's unique random number in the master's public key as shown in Equation (2).

$$(RN_{s(n)}) \times EM_{master} = RCM_{s(n)} \qquad \text{Equation (2)}$$

Each slave, then, stores a copy of its unique random number for later use in the final stages of this process.
Each slave then responds in its appropriate time slot with its authorization message followed by its random
component message. The slave authorization message is similar to the master's authorization message; it is
shown in Equation (3).

$$AM_s = [(ID_{slave},\ EM_{slave})] \times DM_{kca} \qquad \text{Equation (3)}$$

It includes the identity of the slave, the public key of the slave covered by the private key of the certifying 
authority or KCA. 

When each slave determines that its time slot is present, that slave "broadcasts" its authorization
message ($AM_s$), block 34. The slave terminal initializes its modem, blocks 35 and 36. Next, the authorization
message ($AM_s$) and random component message ($RCM_s$) of each slave is transmitted to each of the other
slaves, including the master terminal, block 37, followed by an end of message (EOM), block 38. Block 38
transfers control to block 34. Since this slave terminal has transmitted its $AM_s$ and $RCM_s$, block 34 transfers
control to block 39.

The transmission for slave 1 is shown in FIG. 3B. First the 1800 protocol is sent, then the SCR1 bits,
the authorization message of slave 1, followed by approximately 200 milliseconds of filler which is a
predefined binary bit pattern and finally the random component message of slave 1 and an end of
message indication (not shown). Each slave similarly responds in its assigned time slot.

Each slave terminal sets its modem to receive the other terminals' $AM_s$ and $RCM_s$ messages, blocks 40
and 41. Each slave terminal receives the other slave terminals' $AM_s$ and $RCM_s$, block 42. Also,
simultaneously the master terminal receives each of the slave terminals' $AM_s$ and $RCM_s$ messages, block 43.

When all the slave terminals have responded, block 39 of each slave terminal transfers control to
block 44. Simultaneously, when the master terminal has received all the $AM_s$ and $RCM_s$ messages, block 45
transfers control to block 46.

The random component message of each terminal includes a unique random number generated by that
terminal. This random number is transmitted to the master terminal and is also stored within the terminal.
The random number is encrypted with the master's public key to form the random component message.
Therefore, even though all of the other slave terminals in the teleconference may receive the RCM, they
will not be able to decrypt it.

As a result of these transmissions, each slave terminal receives all the authorization messages of the
other terminals. Each slave then processes each of the authorization messages of the other slaves, block
44. This includes extracting the identity of each of the other slaves which have been covered by the private
key of the certifying authority. The identity of each of the slaves is then scrolled on a viewing device of the
terminal in the order in which they are received. As a result, each terminal has established the certified
identity of each of the other conferees.

The master terminal has also received each of the authentication messages of the other terminals and
processed them similarly to that described above for the slave, block 46. Next, the master decrypts each of
the slaves' random component messages, block 46. Since each of the slaves' random component messages
has been covered with the master's public key, the master may decrypt them by applying his private key
since this is an asymmetric or one-way function. Each slave sets its modem to receive a message from the
master terminal, blocks 47 and 48.

When the master terminal receives each of the authorization messages, it decodes each of the other
terminals' identification. In addition, the master terminal then scrolls each of the identities of the slave
terminals on each visual display on the terminal. Next, the master terminal decrypts each of the slaves'
random component messages. Since each of the slaves has covered its random component with the
master's public encrypt key, only the master is able to decode each of the random component messages
by application of his private decrypt key. The random component is a predetermined number of bits of
information. The random component is, as its name implies, generated randomly by each of the terminals.
The larger in terms of bits the random component is, the more difficult this component is to determine for
purposes of listening. As a result, the master terminal obtains each of the slave terminals' random
components. In addition, the master terminal has stored its previously generated random component.

Next, the master terminal generates a set of random numbers based upon each of the slave's random
numbers and the master's random component or number, block 49. The equations for generating this set of
random numbers are shown by Equation Set (4).

$$
\begin{aligned}
RN_{s(1)} + RN_{s(2)} + \dots + RN_{s(n-1)} + RN_m &= RN_{s(n)}' \\
RN_{s(1)} + RN_{s(2)} + \dots + RN_{s(n-2)} + RN_{s(n)} + RN_m &= RN_{s(n-1)}' \\
RN_{s(1)} + RN_{s(2)} + \dots + RN_{s(n-3)} + RN_{s(n-1)} + RN_{s(n)} + RN_m &= RN_{s(n-2)}' \\
&\ \,\vdots \\
RN_{s(1)} + RN_{s(3)} + \dots + RN_{s(n)} + RN_m &= RN_{s(2)}' \\
RN_{s(2)} + RN_{s(3)} + \dots + RN_{s(n)} + RN_m &= RN_{s(1)}'
\end{aligned}
$$

Equation Set (4)

Examining the last equation of Equation Set (4) as an example, it can be seen
that the new random number for slave 1, $RN_{s(1)}'$, is comprised of each of the random numbers of the other
slaves and the master. These random numbers are exclusive-ORed. Each of the + symbols represents an
exclusive-OR operation. The new random number for slave 2, $RN_{s(2)}'$, is an exclusive-OR of each of the
other terminals' random numbers except terminal 2. As a result, the master terminal generates one new
random number for each of the terminals in the teleconference, which is an exclusive-OR of the random
numbers of all the other terminals in that teleconference except the terminal to which that random number
is to be sent.

The terminal to which the random number is to be sent has previously stored its own random number.
Therefore in FIG. 4, when a given terminal receives the new random number from the master terminal, it
must simply exclusive-OR (99) its own stored random number with the primed random number sent from the
master terminal. As a result, the terminals have developed a session key. This session key is useful only for
this session and is generated for each teleconference call. The generation and transmission of the session
key also obeys the "two-man rule", in that interception of a single message will not result in obtaining the
random component and hence, the session key.

The master terminal covers each of the newly generated primed random numbers with the public
encrypt key of the slave terminal to receive that random number as shown in Equation Set (5):

$$
\begin{aligned}
[RN(1)'] \times EM_{slave1} &= RCM_{m(1)} \\
[RN(2)'] \times EM_{slave2} &= RCM_{m(2)} \\
&\ \,\vdots \\
[RN(n-1)'] \times EM_{slave(n-1)} &= RCM_{m(n-1)} \\
[RN(n)'] \times EM_{slave(n)} &= RCM_{m(n)}
\end{aligned}
$$

Again, since the new primed random number is covered by the slave public encrypt key, only that particular 
slave may decode using his private decrypt key the new primed random component message. The master 
generates one such random component message for each slave, covering that message with the slave's 
public encrypt key. 
Next the master generates a crypto synchronization pattern (CS), block 50. The master terminal now
formats the final secure call setup message. This message is formulated with the P1800 protocol (block 51)
followed by the SCR1 information (block 52), followed by the random component message of each slave in
the appropriate time slot. A predetermined amount of filler bits follow the last random component message.
After the filler bits, the crypto synchronization message is sent to all terminals by the master. The crypto
synchronization message indicates the point at which the symmetric encrypt/decrypt function is to begin.
The master terminal then transmits the formatted message (corresponding primed random number)
followed by the crypto synchronization message, block 53, followed by an EOM, block 54.

Each slave terminal then receives its new primed random component message, block 55. In addition,
each terminal receives the crypto synchronization message, block 56. Next, each terminal processes the
new primed random component message by exclusive-ORing the primed random component which it
received with its own previously stored random component, block 57. This exclusive-OR produces a
session key. Each of the terminals now has this session key. Therefore, this session key may be used by
each terminal's symmetric encrypt/decrypt process to provide secure communications between each of the
terminals in a teleconferencing arrangement. A minimal number of messages has been used to achieve
security.
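
The derivation of Equation Set (4) and the final exclusive-OR of block 57 can be traced in a short program. This is an added example, not part of the patent: the terminal names, the 16-byte component size and the all-zero check are assumptions made here, and the RSA covering of Equations (2) and (5) and the modem framing are left out so that only the exclusive-OR arithmetic is shown.

```python
"""Session-key arithmetic of Equation Set (4) and block 57 (added example)."""
import secrets
from functools import reduce

KEY_BYTES = 16  # assumption: the text only says "a predetermined number of bits"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Exclusive-OR two random components of equal length."""
    if len(a) != len(b):
        raise ValueError("random components must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(values) -> bytes:
    """Exclusive-OR a non-empty sequence of random components together."""
    values = list(values)
    if not values:
        raise ValueError("nothing to combine")
    return reduce(xor_bytes, values)


def master_primed_numbers(rn_master: bytes, slave_rns: dict) -> dict:
    """Equation Set (4): for each slave, XOR every random number except its own."""
    if len(slave_rns) < 2:
        # A conference has at least three terminals: one master, two slaves.
        raise ValueError("need at least two slave terminals")
    primed = {}
    for name in slave_rns:
        others = [rn for other, rn in slave_rns.items() if other != name]
        primed[name] = xor_all([rn_master, *others])
    return primed


def master_session_key(rn_master: bytes, slave_rns: dict) -> bytes:
    """Master side: XOR its stored number with every slave's number."""
    return xor_all([rn_master, *slave_rns.values()])


def slave_session_key(own_rn: bytes, primed_rn: bytes) -> bytes:
    """Block 57: XOR the stored random number with the received primed number."""
    if not any(own_rn):
        # Check added by this example: with an all-zero component the primed
        # number sent by the master would already equal the session key.
        raise ValueError("random component must not be all zeros")
    return xor_bytes(own_rn, primed_rn)


def run_conference(slave_names, key_bytes: int = KEY_BYTES) -> dict:
    """Fresh random components for one call; returns the key held by each terminal."""
    rn_master = secrets.token_bytes(key_bytes)
    slave_rns = {name: secrets.token_bytes(key_bytes) for name in slave_names}
    primed = master_primed_numbers(rn_master, slave_rns)
    keys = {"master": master_session_key(rn_master, slave_rns)}
    for name in slave_names:
        keys[name] = slave_session_key(slave_rns[name], primed[name])
    return keys


if __name__ == "__main__":
    # Constructed scenario: terminal A is the master, B, C and D are slaves.
    for terminal, key in run_conference(["B", "C", "D"]).items():
        print(terminal, key.hex())
```

Every terminal prints the same value, and a second run prints a different one because each call draws new random components.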

Lastly, each terminal processes the crypto synchronization message, block 58. This starts each of the
symmetric encrypt/decrypt functions at a predetermined point. Therefore, since each terminal has the key
and the starting point, it can encode and decode information transmitted to and received from the other
terminals in a secure manner.

Although the preferred embodiment of the invention has been illustrated, and that form described in 
detail, it will be readily apparent to those skilled in the art that various modifications may be made therein 
without departing from the spirit of the invention or from the scope of the appended claims. 
Claims



1. A secure teleconferencing method for a key management system including a plurality of terminals (A-D)
previously certified by a common authority of said key management system, said secure
teleconferencing method comprising the steps of:
connecting (1-2) at least three of said terminals in an unsecure teleconference call via a switching network;
selecting (3-6,11,12) any one of said connected terminals to be a master terminal;
selecting (7,9,10,13,16) all of said connected terminals, except said master terminal, as slave terminals;
establishing (44,46) by each terminal that each of said remaining connected terminals is certified by a
common certification authority;
directly developing (46-58) a single-session session key among said connected terminals; and
initiating a secure teleconference call among each of said connected terminals to provide for secure voice
and data communication among said connected terminals.

2. A secure teleconferencing method as claimed in claim 1, wherein said step of establishing includes
the steps of:
transmitting (11) an access domain message from said master terminal to each of said slave terminals;
receiving (13) said access domain message by each of said slave terminals;
determining (29) by each of said slave terminals whether said master terminal and each said slave terminal
have a common access domain;
responding (33) by each of said slave terminals to said master terminal with an access domain message of
each said slave terminal; and
determining (24) by said master terminal whether each of said slave terminals and said master terminal
have a common access domain.

3. A secure teleconferencing method as claimed in claim 2, wherein there is further included the step of
organizing (16,22) transmission and reception of each of slave terminals into time slots for the transmission
and reception of messages by each of said terminals.

4. A secure teleconferencing method as claimed in claim 3, wherein there is further included the step of
determining (23) by said master terminal whether each of said slave terminals has transmitted its access
domain messages.

5. A secure teleconferencing method as claimed in claim 4, wherein said step of establishing further
includes the steps of:
transmitting (27) by said master terminal an authentication message including an identity of said master
terminal to each of said slave terminals;
receiving (30) by each of said slave terminals said authentication message of said master terminal; and
determining (30) by each of said slave terminals the identity of said master terminal.

6. A secure teleconferencing method as claimed in claim 5, wherein said step of establishing further
includes the steps of:
transmitting (37) by each of said slave terminals a corresponding authentication message including an
identity of said corresponding slave terminal to said master terminal;
receiving (43) by said master terminal each of said authentication messages transmitted by each of said
corresponding slave terminals; and
determining (46) by said master terminal the identity of each of said slave terminals.

7. A secure teleconferencing method as claimed in claim 6, wherein there is further included the step of
determining (45) whether said authentication message of each of said slave terminals has been received by
said master terminal.

8. A secure teleconferencing method as claimed in claim 7, wherein there is further included the steps
of:
displaying (46) by said master terminal said identity of each of said slave terminals; and
displaying (44) by each of said slave terminals said identity of said master terminal and said identity of
each of said slave terminals, except said slave terminal which is displaying.

9. A secure teleconferencing method as claimed in claim 8, wherein said step of directly developing
includes the steps of:
generating (49) by said master terminal a random number; and
storing (49) by said master terminal said random number.

10. A secure teleconferencing method as claimed in claim 9, wherein said step of directly developing
further includes the steps of:
generating (33) by each of said slave terminals a corresponding random number;
storing (38) by each of said slave terminals said corresponding random number; and
transmitting (37) by each of said slave terminals said corresponding random number to said master terminal
in an appropriate time slot.

11. A secure teleconferencing method as claimed in claim 10, wherein said step of directly developing
further includes the step of generating (49) a set of random numbers by said master terminal, each random
number of said set corresponding to each of said terminals.

12. A secure teleconferencing method as claimed in claim 11, wherein said step of generating a set of
random numbers includes the steps of:
generating (49,99) a random number corresponding to each of said terminals connected in said
teleconference, each random number being an exclusive-OR of each of said set of random numbers corresponding
to each terminal, except said random number corresponding to one terminal which is to receive said
random number; and
transmitting (53) by said master terminal each corresponding random number of said set of random
numbers to said corresponding terminal in an appropriate time slot.

13. A secure teleconferencing method as claimed in claim 12, wherein said step of generating a set of
random numbers further includes the step of encrypting (49) said set of random numbers with an
asymmetric RSA-type function.

14. A secure teleconferencing method as claimed in claim 13, wherein said step of establishing further
includes the steps of:
receiving (55) in said appropriate time slot by each of said slave terminals said corresponding one of said
set of random numbers; and
exclusive-ORing (57) said random number stored by said slave terminal with said received one of said set
of random numbers to produce said session key.

15. A secure teleconferencing method as claimed in claim 14, said step of establishing further including
the step of exclusive-ORing (46) by said master terminal each of said random numbers transmitted by said
slave terminals with said stored random number by said master terminal to produce said session key.

16. A secure teleconferencing method as claimed in claim 15, wherein said step of initiating includes
the steps of:
generating (50) a crypto synchronization message by said master terminal;
transmitting (53) said generated crypto synchronization message to each of said slave terminals;
receiving (56) by each of said slave terminals said crypto synchronization message; and
initializing (58) with said crypto synchronization message a symmetric encrypt/decrypt function of each of
said connected terminals.

17. A secure teleconferencing method via a switching network for establishing a secure teleconference
among a plurality of interconnected terminals (A-D) which have been previously certified by a common
authority, said secure teleconferencing method comprising the steps of:
selecting (3-6,11,12) any one of said connected terminals to be a master terminal;
selecting (7,9,10,13,16) all of said connected terminals, except said master terminal, as slave terminals;
establishing (44,46) by each terminal that each of said remaining interconnected terminals is certified by a
common certification authority;
directly developing (46-58) a single-session session key among said connected terminals; and
initiating a secure teleconference call among each of said interconnected terminals to provide for secure
voice and data communication among said interconnected terminals.

18. A secure teleconferencing method via a switching network for establishing a secure teleconference 
among a plurality of interconnected terminals (A-D) which have been previously certified by a common 
authority, said secure teleconferencing method comprising the steps of: 
selecting (3-6,11,12) any one of said connected terminals to be a master terminal; 
selecting (7,9,10,13,16) all of said connected terminals, except said master terminal, as slave terminals; 
establishing (44,46) by each terminal that each of said remaining interconnected terminals is certified by a 
common certification authority; and 

directly developing (46-58) a single-session session key among said connected terminals for providing 
secure voice and data communication among said interconnected terminals. 